December 10, 2022

Telstra-Webmail

Skillful Technology Connoisseurs

Home » personal data protection bill: Free cross-border flow of data within trusted nations mooted

personal data protection bill: Free cross-border flow of data within trusted nations mooted

The Centre has proposed free cross-border flow of data pertaining to Indian users within “trusted” jurisdictions in the latest draft of the Digital Personal Data Protection Bill, 2022, which was released for public consultation on Friday.

The shortened Bill — containing only 30 clauses compared to 99 clauses in earlier versions —also mandates that users be informed of the purpose of data collection and the agencies with which it’s being shared, in “plain and simple language” including in regional languages. Users will also have the right to withdraw consent and seek for erasure or correction of personal data.

ET was the first to report on the provisions of the
new data Bill in its edition dated November 16.

Terming the Bill “technology agnostic, simple to read and implementation (as) completely digital by design,” the union minister of electronics & information technology, railways and communication Ashwani Vaishnaw said the proposed legislation would “allow the start-up ecosystem to grow and (that) some of the provisions of the Bill will be emulated by the world.”
“We have drafted this bill keeping all established principles of privacy and the global experience,” the minister told ET.

Pointing out that Indian languages have been given their due with notices, consents, required to be in any one of the Indian languages specified in Eighth Schedule, Vaishnaw said in line with the government’s focus on women, the draft legislation uses only ” female pronouns in the bill”.

Discover the stories of your interest



Comprehensive Framework


The draft also calls for stiff penalties – going up to a maximum of Rs 500 crore – in the event of a data breach as well as failure to intimate users or the government about it.

It also proposes the establishment of a digital Data Protection Board of India, to adjudicate disputes of abuse and misuse of personal data, along with deciding the penalties. The board—comprising a chairperson and several full-time and part-time members—will also have the power to summon and examine people under oath, inspect any data, book, document or register, books of account of any other document of a data fiduciary if such a need arises.

Calling the DPDP Bill a “modern legislation”, the minister of state for information technology Rajeev Chandrasekhar said that the new draft of the bill is “a part of a comprehensive framework of laws and rules that include the IT rules, DPDP bill, National Data Governance Framework Policy and a new Digital India Act”.

“(The draft) achieves the seemingly contradictory objectives of data protection of our citizens, ease of doing business for industry and public interest of efficient governance and national security,” Chandrasekhar said.

In the draft bill, the government has retained the definition of ‘child’ to be anyone who has not attained the age of 18 and mandated that parental consent is needed for the processing of data of a child.

The provision is unlikely to go down well with big tech companies such as Google, and Meta, which have several users in the below-18 category.

Rama Vedashree, the former chief executive officer at Data Security Council of India said there is “no confusion” of it being an overall data protection bill and including non-personal data. “I think they are reinforcing well the principles of consent and role of DP Board.

However, Vedashree — who served on the Justice BN Srikrishna committee that drafted the first version of the Personal Data Protection Bill in 2018—is of the view that there are no “checks and balances on the central government’s power to exempt any data fiduciary being exempt from the bill.”

“The bill would hopefully become a little more “comprehensive” after the public consultations, she added.

Others such as The Internet Freedom Foundation held that the draft had “a lack of legislative guidance throughout”. “For the 30 clauses, we have noticed the phrase, ‘as may be prescribed’ mentioned 18 times, often without any legislative guidance. This creates vague, unguided power for the Union Government to frame rules,” the policy advocacy group said.

The draft Bill has also introduced the concept of a third-party agency called the consent manager, which will manage, review or withdraw consent on behalf of a user through a transparent and interoperable platform.

The government has also introduced the concept of a significant data fiduciary based on parameters such as the volume and sensitivity of personal data being processed, the risk of harm to the data principal, and national security,

The Significant Data Fiduciary can appoint a Data Protection Officer and an Independent Data Auditor who will evaluate its compliance with the regulations.

Users will also have the right to obtain a summary of the personal data; and identities of all the Data Fiduciaries with whom the personal data has been shared.

The draft of the new bill also proposes that in case a data processor or data fiduciary fails to take reasonable security safeguards to prevent personal data breach, a penalty of up to Rs 250 crore would be levied. If such data processors or fiduciaries fail to notify the data board or impacted individuals whose data has been leaked, a penalty of up to Rs 200 crore would be imposed. On the other hand, non-fulfilment of additional obligations in relation to Children could also attract a penalty of Rs 200 crore.

The draft of the bill “is a good example of smart law which is simple and nimble, and manages the interests of the stakeholders,” senior Supreme Court advocate Gopal Jain told ET.